# Member login with email

## Why session based login

- user can see the list of devices he is logged in from.
- user can terminate a session and invalidate a login token anytime.
- While entering credentials, the password is sent in encrypted form over the wire.
- Challenge based authentication to avoid/slow down brute force attacks.
## API

For any client app to perform login and generate a login token, the client app must first request a challenge. Following is the API to request challenge data.

HEADERS

x-redirect-link : <Redirect link after successful login>

Ex - /v2/session/challenge/abc@xyz.com

## Response

```json
{
  "_id": "5b643fe372ad9f7221f8b958",
  "type": "USER",
  "status": "INITIATED",
  "details": {
    "pow_secret": "4962",
    "pow_salt": "d8b9b3f2bd6e1d0052d1b96153b22add4e07f2ccdc0a5bf0b106700c6f03763d",
    "pow_hash_prefix": "b1550351b3",
    "pow_done": false,
    "_id": "5b643fe372ad9fc311f8b959",
    "pow_rounds": 100000,
    "key_length": 32
  },
  "expiring": 1533296911.824,
  "__v": 0
}
```
## Response Fields

Field | Type and description | Required
---|---|---
_id | string. Session id | ✓
details.pow_secret | string. The number from which the guessing starts | ✓
details.pow_salt | string. Salt for the pbkdf2 algorithm | ✓
details.pow_hash_prefix | string. Prefix of the correct key (hex) | ✓
details.pow_rounds | int. Number of rounds for pbkdf2 | ✓
details.key_length | int. Length of the key to generate with pbkdf2 | ✓
## Steps for guessing the key

1. Start with the current value of pow_secret and store it in a variable 'secret'.
2. Perform pbkdf2 and store the result in a variable called 'key': `pbkdf2(secret, pow_salt, pow_rounds, key_length, 'sha512')`.
3. Check whether the newly derived 'key' has the same prefix as 'pow_hash_prefix'. If yes, this is the correct key and your guessing is done. If the prefix does not match, increment secret, i.e. secret = secret + 1, and go back to step 2.
4. Keep doing this until you guess the correct key.
## Steps for encrypting the password

This step assumes that you have already guessed the correct encryption key by following the steps in the previous section.

You have to encrypt the user's password using the key derived in the previous section.

The algorithm to encrypt the password is 'aes-256-cbc'.

Here is the sample code to encrypt the password in Node.js.
```typescript
import * as crypto from "crypto";

// Encrypts the password with AES-256-CBC under the key guessed in the previous section.
// key must be 32 bytes (key_length) and iv 16 bytes; the result is hex.
async function encryptPassword(password: string, key: Buffer, iv: Buffer): Promise<string> {
  let cipherName = "aes-256-cbc";
  let cipher = crypto.createCipheriv(cipherName, key, iv);
  cipher.setAutoPadding(true);
  let crypted = cipher.update(password, "utf8", "hex");
  crypted += cipher.final("hex");
  return crypted;
}

// key: the Buffer derived by the guessing step; pwd: the user's password.
let iv = crypto.randomBytes(16); // fresh random IV for every login attempt
let encryptedPass = await encryptPassword(pwd, key, iv);
```
## Verifying the challenge

This step assumes you have performed the steps in the sections above.

URL for verifying challenge is

## Request

```json
{
  "id": "5b643fe372ad9f7221f8b958",
  "refNo": "iv converted into hex string",
  "password": "encrypted password"
}
```

## Response

```json
{ "token": "<token>" }
```